Abstract. We discuss classical and quantum algorithms for solvability testing and finding integer solutions $x, y$ of equations of the form $af^x + bg^y = c$ over finite fields $\mathbb{F}_q$. A quantum algorithm with time complexity $q^{3/8}(\log q)^{O(1)}$ is presented. While still superpolynomial in $\log q$, this quantum algorithm is significantly faster than the best known classical algorithm, which has time complexity $q^{9/8}(\log q)^{O(1)}$. Thus it gives an example of a natural problem where quantum algorithms provide about a cubic speed-up over classical ones.

1 Introduction

Let $\mathbb{F}_q$ be a finite field of $q$ elements and let $\mathbb{F}_q^*$ denote the multiplicative group of nonzero elements of $\mathbb{F}_q$. For $a, b, c, f, g \in \mathbb{F}_q^*$ we consider the equations

$$af^x + bg^y = c \tag{1}$$

in nonnegative integers $x$ and $y$.

Equation (1) has a long history of study in number theory. In particular, it is closely related to the classical problem of finding $f, g \in \mathbb{F}_q$ for fixed $a, b$ and $x, y$ from the theory of cyclotomic classes, see [2, 11], which looks like a dual problem to studying Equation (1) but in fact, after a change of variables, becomes equivalent.

Furthermore, Equation (1) and variants of it also appeared in recent work of A. Lenstra and B. de Weger [8] and have been shown to be of cryptographic significance. In particular, the difficulty of finding solutions to Equation (1) has been discussed in [8], but no concrete results were known before the present work.

In the theory of quantum computing the task of finding the solutions to Equation (1) is of importance when trying to solve the hidden subgroup problem for semi-direct product groups $\mathbb{Z}/N \rtimes \mathbb{Z}/p$ with $p = \Theta(\sqrt{N})$, see [1], where, as usual, $A = \Theta(B)$ means that $A = O(B)$ and $B = O(A)$ (hereafter all implied constants are absolute). Furthermore it is also natural to consider this problem as a generalization of the discrete logarithm problem in $\mathbb{F}_q$, which can be solved efficiently using Shor's algorithm [10].

In this article we use some number theoretic tools to design classical and quantum algorithms that are more efficient than the brute force search (but unfortunately still have a running time exponential in the input size $\log q$). We use our classical algorithm to measure the level of improvement that can be achieved by allowing quantum algorithms. Ignoring $\log q$ terms, the classical algorithm that we present here has complexity $O^*(q^{9/8})$ (which seems to be the best known) whereas we also present a quantum algorithm with complexity $O^*(q^{3/8})$, where, as usual, $A = O^*(B)$ means that $A = B(\log B)^{O(1)}$. In particular, it gives an example of a natural problem where quantum algorithms provide an asymptotically cubic speed-up over classical ones.

Certainly if $f$ or $g$ is a primitive root, which generates all of $\mathbb{F}_q^*$, then the problem is not harder than the discrete logarithm problem. Moreover, in general our results suggest that finding solutions to Equation (1) becomes easier when $f$ or $g$ is of large order, but it still appears to be much harder than the discrete logarithm problem.

2 The Number of Solutions to the Equation 

2.1 The Worst Case 

Here we use bounds of multiplicative character sums over finite fields to show that if the orders of $f$ and $g$ are large enough, then Equation (1) has a solution with at least one reasonably small component $x$ or $y$.

Lemma 1. Let $a, b, c \in \mathbb{F}_q^*$ and let $f$ and $g \in \mathbb{F}_q^*$ be of multiplicative orders $s$ and $t$, respectively. Then for any positive integer $r \le t$, the equation $af^x + bg^y = c$ has $rs/(q-1) + O(q^{1/2}\log q)$ solutions in nonnegative integers $x$ and $y$ with $x \in \{0, \dots, s-1\}$ and $y \in \{0, \dots, r-1\}$.

Proof. Let $k = (q-1)/s$ and let $\mathcal{X}_k$ be the group of all $k$ multiplicative characters $\chi : \mathbb{F}_q^* \to \mathbb{C}$ of order dividing $k$, that is, $\chi^k = \chi_0$, the principal character, for any $\chi \in \mathcal{X}_k$ (see [9]). Note that this group contains exactly $k$ elements. For any $u \in \mathbb{F}_q^*$ we have

$$\frac{1}{k}\sum_{\chi \in \mathcal{X}_k} \chi(u) = \begin{cases} 1, & \text{if } u^s = 1,\\ 0, & \text{otherwise.}\end{cases}$$

Noting that $u \in \mathbb{F}_q^*$ belongs to the group generated by $f$ if and only if $u^s = 1$, we derive that the number $N_{a,b,c}(r,s)$ of solutions to Equation (1) with $x \in \{0, \dots, s-1\}$ and $y \in \{0, \dots, r-1\}$ equals

$$N_{a,b,c}(r,s) = \sum_{y=0}^{r-1} \frac{1}{k}\sum_{\chi \in \mathcal{X}_k} \chi\bigl(a^{-1}(c - bg^y)\bigr).$$

Changing the order of summation and separating the term $r/k$ corresponding to the principal character $\chi_0$ we obtain

$$N_{a,b,c}(r,s) = \frac{r}{k} + \frac{1}{k}\sum_{\substack{\chi \in \mathcal{X}_k\\ \chi \ne \chi_0}} \chi(a^{-1}) \sum_{y=0}^{r-1} \chi(c - bg^y).$$

By [12, Theorem 3] (see also [5]) each summation over $y$ is bounded by $O(q^{1/2}\log q)$ (provided $1 \le r \le t$), hence we have

$$N_{a,b,c}(r,s) = \frac{rs}{q-1} + O(q^{1/2}\log q),$$

which concludes the proof. □

From Lemma 1 we can immediately conclude the following. 

Corollary 1. Let $a, b, c \in \mathbb{F}_q^*$ and let $f$ and $g \in \mathbb{F}_q^*$ be of multiplicative orders $s$ and $t$, respectively. There exists an absolute constant $C > 0$ such that if for some integer $r$ we have

$$Cq^{3/2}s^{-1}\log q < r \le t,$$

then the equation $af^x + bg^y = c$ has a solution in integers $x$ and $y$ with $x \in \{0, \dots, s-1\}$ and $y \in \{0, \dots, r-1\}$.

We remark that the constant $C$ in Corollary 1 is independent of all variables involved ($a, b, c, f, g$ and $q$) and that it is effectively computable. This result reduces the number of $(x, y)$ pairs that have to be searched for a solution to Equation (1). In Sections 3.1 and 4.1 we show how this reduction can be used to construct non-trivial worst case algorithms, both classical and quantum.
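As an added illustration (not part of the paper), the following Python script checks the character-sum identity behind Lemma 1 numerically over a small prime field, $q = p$ prime: the brute-force count $N_{a,b,c}(r,s)$ is compared with $\sum_{y} \frac{1}{k}\sum_{\chi \in \mathcal{X}_k} \chi(a^{-1}(c - bg^y))$, where the $k = (p-1)/s$ characters of order dividing $k$ are built from a generator of $\mathbb{F}_p^*$. The generator search, the sample parameters $p = 31$, $f = 2$, $g = 3$ and the convention $\chi(0) = 0$ are assumptions of this example, not notation taken from the paper.

```python
# Added example (not from the paper): numerical check of the character-sum
# identity in the proof of Lemma 1 over F_p, p prime (q = p).
import cmath


def mult_order(u, p):
    """Multiplicative order of u in F_p^* (u not divisible by p)."""
    o, v = 1, u % p
    while v != 1:
        v = v * u % p
        o += 1
    return o


def primitive_root(p):
    """Smallest generator of F_p^* (p prime), found by direct order check."""
    for w in range(2, p):
        if mult_order(w, p) == p - 1:
            return w
    raise ValueError("no generator found; is p prime?")


def count_solutions(a, b, c, f, g, r, s, p):
    """Brute-force N_{a,b,c}(r,s): pairs (x,y), 0<=x<s, 0<=y<r, with a f^x + b g^y = c."""
    return sum(1 for x in range(s) for y in range(r)
               if (a * pow(f, x, p) + b * pow(g, y, p)) % p == c % p)


def count_by_characters(a, b, c, f, g, r, s, p):
    """The same count via sum_y (1/k) sum_{chi in X_k} chi(a^{-1}(c - b g^y)).

    chi_j(u) = exp(2*pi*i * j * ind(u) / k) for j = 0..k-1, where ind is the
    discrete logarithm to a generator w of F_p^*; these are exactly the k
    multiplicative characters with chi^k = chi_0. Convention: chi(0) = 0.
    """
    k = (p - 1) // s
    w = primitive_root(p)
    ind = {pow(w, i, p): i for i in range(p - 1)}   # w^ind[u] = u

    def chi(idx, u):
        u %= p
        if u == 0:
            return 0
        return cmath.exp(2j * cmath.pi * idx * ind[u] / k)

    a_inv = pow(a, -1, p)
    total = 0
    for y in range(r):
        u = a_inv * (c - b * pow(g, y, p)) % p
        # (1/k) sum_chi chi(u) is 1 iff u lies in the subgroup of order s = <f>
        total += sum(chi(idx, u) for idx in range(k)) / k
    return round(total.real)


if __name__ == "__main__":
    # constructed sample: p = 31, f = 2 has order s = 5, g = 3 has order t = 30
    p, a, b, f, g, r = 31, 1, 1, 2, 3, 6
    s = mult_order(f, p)
    for c in range(1, p):
        n1, n2 = count_solutions(a, b, c, f, g, r, s, p), count_by_characters(a, b, c, f, g, r, s, p)
        assert n1 == n2
        print(f"c={c:2d}: N={n1}  (main term rs/(q-1) = {r * s / (p - 1):.2f})")
```

The main term $rs/(q-1)$ equals $1$ for these parameters, and the printed counts scatter around it with an error well inside the $O(q^{1/2}\log q)$ bound of the lemma.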

2.2 The Typical Case 

To solve the equation $af^x + bg^y = c$ for typical $c \in \mathbb{F}_q$ we now show that for almost all $c \in \mathbb{F}_q^*$ the results of Corollary 1 can be improved, which in turn will yield better average case algorithms for the central problem.



Lemma 2. Let $a, b, c \in \mathbb{F}_q^*$ and let $f$ and $g \in \mathbb{F}_q^*$ be of multiplicative orders $s$ and $t$, respectively. For any positive integer $r \le t$ and $\delta > 0$, for all but $q/\delta^2$ elements $c \in \mathbb{F}_q^*$, the equation $af^x + bg^y = c$ has $rs/q + \vartheta\delta\sqrt{r}$ solutions in nonnegative integers $x$ and $y$ with $x \in \{0, \dots, s-1\}$, $y \in \{0, \dots, r-1\}$ and $-1 \le \vartheta \le 1$.

Proof. Let $\psi : \mathbb{F}_q \to \mathbb{C}$ be a nontrivial additive character. We recall that for any $u \in \mathbb{F}_q$ we have

As in the proof of Lemma 1 we use $N_{a,b,c}(r,s)$ to denote the number of solutions to Equation (1) with $x \in \{0, \dots, s-1\}$ and $y \in \{0, \dots, r-1\}$. We have

$$N_{a,b,c}(r,s) = \sum_{x=0}^{s-1}\sum_{y=0}^{r-1} \frac{1}{q}\sum_{\lambda \in \mathbb{F}_q} \psi\bigl(\lambda(af^x + bg^y - c)\bigr) = \frac{rs}{q} + \frac{1}{q}\sum_{\lambda \in \mathbb{F}_q^*}\sum_{x=0}^{s-1}\sum_{y=0}^{r-1} \psi\bigl(\lambda(af^x + bg^y - c)\bigr),$$

which averaged over $c \in \mathbb{F}_q$ equals $sr/q$. To calculate the variance from its average, we look at the value defined by

$$W_{a,b}(r,s) = \sum_{c \in \mathbb{F}_q}\Bigl(N_{a,b,c}(r,s) - \frac{rs}{q}\Bigr)^2,$$

which equals

$$\frac{1}{q^2}\sum_{c \in \mathbb{F}_q}\sum_{\lambda_1,\lambda_2 \in \mathbb{F}_q^*}\sum_{x_1,x_2=0}^{s-1}\sum_{y_1,y_2=0}^{r-1} \psi\bigl(\lambda_1(af^{x_1} + bg^{y_1} - c) + \lambda_2(af^{x_2} + bg^{y_2} - c)\bigr)$$

$$= \frac{1}{q^2}\sum_{\lambda_1,\lambda_2 \in \mathbb{F}_q^*}\sum_{x_1,x_2=0}^{s-1} \psi\bigl(a(\lambda_1 f^{x_1} + \lambda_2 f^{x_2})\bigr)\sum_{y_1,y_2=0}^{r-1} \psi\bigl(b(\lambda_1 g^{y_1} + \lambda_2 g^{y_2})\bigr)\sum_{c \in \mathbb{F}_q} \psi\bigl(-(\lambda_1 + \lambda_2)c\bigr).$$

The inner sum over $c$ vanishes unless $\lambda_1 = -\lambda_2$ (in which case it is $q$) and therefore

$$W_{a,b}(r,s) = \frac{1}{q}\sum_{\lambda \in \mathbb{F}_q^*}\sum_{x_1,x_2=0}^{s-1} \psi\bigl(a\lambda(f^{x_1} - f^{x_2})\bigr)\sum_{y_1,y_2=0}^{r-1} \psi\bigl(b\lambda(g^{y_1} - g^{y_2})\bigr) = \frac{1}{q}\sum_{\lambda \in \mathbb{F}_q^*}\Bigl|\sum_{x=0}^{s-1}\psi(a\lambda f^x)\Bigr|^2\Bigl|\sum_{y=0}^{r-1}\psi(b\lambda g^y)\Bigr|^2.$$

It is well known that

$$\Bigl|\sum_{x=0}^{s-1}\psi(a\lambda f^x)\Bigr| \le q^{1/2}$$

for $\lambda \in \mathbb{F}_q^*$; for example, this follows from [9, Theorem 8.78] taken with $k = 1$ and $f^0, f^1, \dots, f^{s-1}$ the impulse response sequence (it can also be derived from the bound of Gauss sums, see [9, Theorem 5.32]). Therefore

$$W_{a,b}(r,s) \le \sum_{\lambda \in \mathbb{F}_q}\Bigl|\sum_{y=0}^{r-1}\psi(b\lambda g^y)\Bigr|^2$$

(note that we have added $\lambda = 0$ into the last sum). We also have the straightforward equality

$$\sum_{\lambda \in \mathbb{F}_q}\Bigl|\sum_{y=0}^{r-1}\psi(b\lambda g^y)\Bigr|^2 = qr$$

(essentially, this is Parseval's identity, i.e. we used the unitarity of the Fourier transformation over $\mathbb{F}_q$ on the characteristic vector of the set $\{g^0, \dots, g^{r-1}\}$) and thus

$$\sum_{c \in \mathbb{F}_q}\Bigl(N_{a,b,c}(r,s) - \frac{rs}{q}\Bigr)^2 \le qr.$$

Hence, for any $\delta > 0$, the violation

$$\Bigl|N_{a,b,c}(r,s) - \frac{rs}{q}\Bigr| > \delta\sqrt{r}$$

holds for no more than $q/\delta^2$ values of $c \in \mathbb{F}_q^*$. □



Using $\delta = \sqrt{\log q}$ in Lemma 2, we see that for all but $q/\log q = o(q)$ elements $c \in \mathbb{F}_q^*$ the equation $af^x + bg^y = c$ has $rs/q + \vartheta\sqrt{r\log q}$ solutions in $x \in \{0, \dots, s-1\}$, $y \in \{0, \dots, r-1\}$ with $-1 \le \vartheta \le 1$. Therefore we can immediately conclude the following.

Corollary 2. Let $a, b, c \in \mathbb{F}_q^*$ and let $f$ and $g \in \mathbb{F}_q^*$ be of multiplicative orders $s$ and $t$, respectively. If for some integer $r$ we have

$$q^2 s^{-2}\log q < r \le t,$$

then for all but $o(q)$ elements $c \in \mathbb{F}_q^*$, the equation $af^x + bg^y = c$ has a solution in integers $x$ and $y$ with $x \in \{0, \dots, s-1\}$ and $y \in \{0, \dots, r-1\}$.
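The variance bound in the proof of Lemma 2 can be checked numerically for small parameters. The Python script below is an added example (not the paper's code) over a prime field $q = p$: it tabulates $N_{a,b,c}(r,s)$ for every $c \in \mathbb{F}_p$ in one pass over the box $\{0,\dots,s-1\}\times\{0,\dots,r-1\}$, evaluates $W_{a,b}(r,s) = \sum_c (N_{a,b,c}(r,s) - rs/p)^2$ against the bound $pr$, and lists the $c \in \mathbb{F}_p^*$ for which $|N_{a,b,c}(r,s) - rs/p| > \delta\sqrt{r}$, whose number Lemma 2 bounds by $p/\delta^2$. The sample parameters $p = 31$, $f = 2$, $g = 3$, $r = 6$ and $\delta = 0.5$ are constructed for the example.

```python
# Added example, not from the paper: numerical check of Lemma 2 over F_p (q = p).
from math import sqrt


def mult_order(u, p):
    """Multiplicative order of u in F_p^* (u not divisible by p)."""
    o, v = 1, u % p
    while v != 1:
        v = v * u % p
        o += 1
    return o


def solution_counts(a, b, f, g, r, s, p):
    """N_{a,b,c}(r,s) for every c in F_p; entry c of the returned list is the
    number of (x,y) in {0..s-1} x {0..r-1} with a f^x + b g^y = c (mod p)."""
    counts = [0] * p
    gpow = [pow(g, y, p) for y in range(r)]
    for x in range(s):
        ax = a * pow(f, x, p) % p
        for gy in gpow:
            counts[(ax + b * gy) % p] += 1
    return counts


def variance(a, b, f, g, r, p):
    """Returns (W_{a,b}(r,s), p*r) with s = ord(f); the proof of Lemma 2 gives W <= p*r."""
    s = mult_order(f, p)
    mean = r * s / p
    W = sum((n - mean) ** 2 for n in solution_counts(a, b, f, g, r, s, p))
    return W, p * r


def exceptional_c(a, b, f, g, r, p, delta):
    """Values c in F_p^* with |N_{a,b,c}(r,s) - rs/p| > delta*sqrt(r).
    Lemma 2 says there are at most p/delta^2 of them."""
    s = mult_order(f, p)
    mean = r * s / p
    counts = solution_counts(a, b, f, g, r, s, p)
    return [c for c in range(1, p) if abs(counts[c] - mean) > delta * sqrt(r)]


if __name__ == "__main__":
    # constructed sample: p = 31, f = 2 has order s = 5, g = 3 has order t = 30, r = 6 <= t
    p, a, b, f, g, r, delta = 31, 1, 1, 2, 3, 6, 0.5
    assert r <= mult_order(g, p)
    W, bound = variance(a, b, f, g, r, p)
    print(f"W_{{a,b}}(r,s) = {W:.3f} <= qr = {bound}")
    bad = exceptional_c(a, b, f, g, r, p, delta)
    print(f"{len(bad)} exceptional c (Lemma 2 bound q/delta^2 = {p / delta**2:.0f}): {bad}")
```

For these parameters the mean $rs/p$ is just below $1$, the variance comes out far below $qr = 186$, and only the two values of $c$ with three solutions exceed the $\delta\sqrt{r}$ deviation, against an allowed maximum of $124$.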

3 Classical Algorithms 

3.1 Worst Case Classical Algorithm 

We start with a classical deterministic algorithm that is more efficient than brute force search.

Theorem 1. Let $a, b, c, f, g \in \mathbb{F}_q^*$. One can either find a solution $x, y \in \mathbb{Z}_{\ge 0}$ of the equation $af^x + bg^y = c$ or decide that it does not have a solution in deterministic time $q^{9/8}(\log q)^{O(1)}$ on a classical computer.

Proof. Using a standard deterministic factorization algorithm, we factor $q - 1$ and find the orders $s$ and $t$ of $f$ and $g$ in time $q^{1/4}(\log q)^{O(1)}$. Assume without loss of generality that $s \ge t$ (otherwise the roles of $s$ and $t$ are reversed in the proof below). Let $C$ be the constant of Corollary 1 and define

$$r = \bigl\lceil Cq^{3/2}s^{-1}\log q \bigr\rceil. \tag{2}$$

By Corollary 1, if $r \le t$ then the central equation $af^x + bg^y = c$ is solvable for $(x, y) \in \{0, \dots, s-1\} \times \{0, \dots, r-1\}$. Otherwise, if $r > t$, there may or may not be a solution with $(x, y) \in \{0, \dots, s-1\} \times \{0, \dots, t-1\}$. As a result, the following algorithm proves the theorem.

If $r \le t$ then for every $y \in \{0, \dots, r-1\}$ we evaluate $a^{-1}(c - bg^y)$ and then try to compute its discrete logarithm to base $f$, that is, an integer $x$ with $f^x = a^{-1}(c - bg^y)$, in deterministic time $s^{1/2}(\log q)^{O(1)}$, see [4, Section 5.3]. When found, the algorithm outputs $(x, y)$ and terminates. The condition $t \ge r$ and the assumption $s \ge t$ imply for $s$:

$$s^2 \ge st \ge sr \ge Cq^{3/2}\log q,$$

which gives for the time complexity of this case

$$r \cdot s^{1/2}(\log q)^{O(1)} = q^{3/2}s^{-1/2}(\log q)^{O(1)} \le q^{9/8}(\log q)^{O(1)}.$$

If $r > t$ we perform the same procedure for every $y \in \{0, \dots, t-1\}$. If none of the $y$ yield a solution, the algorithm reports that the central equation has no solution. In this case, the condition $t < r$ implies that

$$st < sr < Cq^{3/2}\log q$$

and since $t \le s$, the time complexity of this case is also bounded by

$$t \cdot s^{1/2}(\log q)^{O(1)} \le (st)^{3/4}(\log q)^{O(1)} \le q^{9/8}(\log q)^{O(1)},$$

which completes the proof. □
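The algorithm in the proof of Theorem 1 can be written down directly for a prime field $q = p$. The Python implementation below is an added example and not the paper's code: it computes the orders $s$ and $t$, chooses $r$ as in Equation (2), and for each $y$ runs a baby-step giant-step discrete logarithm in the subgroup generated by $f$ (the $s^{1/2}$ method of [4, Section 5.3]). Because the constant $C$ of Corollary 1 is not given explicitly, $C = 1$ is an assumption of the example; for small $p$ the resulting $r$ exceeds $t$ and the algorithm falls into the second case of the proof, scanning all $y \in \{0, \dots, t-1\}$, which is exhaustive and therefore correct regardless of $C$. The sample instances over $\mathbb{F}_{31}$ are constructed.

```python
# Added example (not the paper's code): the classical algorithm of Theorem 1 over F_p.
import math


def mult_order(u, p):
    """Multiplicative order of u in F_p^* (u not divisible by p)."""
    o, v = 1, u % p
    while v != 1:
        v = v * u % p
        o += 1
    return o


def bsgs(base, target, s, p):
    """Baby-step giant-step: x in {0..s-1} with base^x = target (mod p), or None.
    base has multiplicative order s; the cost is O(sqrt(s)) group operations."""
    m = math.isqrt(s) + 1
    baby = {}
    v = 1
    for j in range(m):                 # baby steps: base^j for j < m
        baby.setdefault(v, j)
        v = v * base % p
    factor = pow(base, -m, p)          # giant step multiplies by base^{-m}
    gamma = target % p
    for i in range(m):                 # target * base^{-im} == base^j  =>  x = im + j
        if gamma in baby:
            return (i * m + baby[gamma]) % s
        gamma = gamma * factor % p
    return None


def solve_exponential_congruence(a, b, c, f, g, p, C=1.0):
    """Return (x, y) with a f^x + b g^y = c (mod p), or None if there is no solution.
    C stands for the (unknown) constant of Corollary 1; C = 1 is an assumption here."""
    s, t = mult_order(f, p), mult_order(g, p)
    if s < t:
        # without loss of generality s >= t: swap the roles of (a, f, x) and (b, g, y)
        sol = solve_exponential_congruence(b, a, c, g, f, p, C)
        return None if sol is None else (sol[1], sol[0])
    r = math.ceil(C * p ** 1.5 / s * math.log(p))    # Equation (2)
    a_inv = pow(a, -1, p)
    # r <= t: Corollary 1 promises a solution with y < r; r > t: all y < t are exhaustive
    for y in range(min(r, t)):
        target = a_inv * (c - b * pow(g, y, p)) % p
        if target == 0:                # f^x is never 0, so this y cannot work
            continue
        x = bsgs(f, target, s, p)
        if x is not None:
            return (x, y)
    return None


if __name__ == "__main__":
    # constructed instances over F_31: f = 2 (order 5), g = 3 (order 30), g = 5 (order 3)
    print(solve_exponential_congruence(1, 1, 11, 2, 3, 31))   # a solution of 2^x + 3^y = 11
    print(solve_exponential_congruence(1, 1, 4, 2, 5, 31))    # None: 2^x + 5^y = 4 is unsolvable
```

The second instance has no solution because $2^x$ takes only the values $\{1, 2, 4, 8, 16\}$ and $5^y$ only $\{1, 5, 25\}$ in $\mathbb{F}_{31}$, and no pair sums to $4$; the algorithm reports this after scanning the $t = 3$ values of $y$.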

It is natural to ask whether one can design a faster probabilistic al- 
gorithm. For some fields this is indeed possible due to the existence of 
subexponential algorithms for computing discrete logarithms, see [4, Sec- 
tion 6.4]. However in general probabilistic algorithms do not seem to give 
any significant advantage for our problem. 

3.2 Typical Case Classical Algorithm 

Similarly, using Corollary 2 instead of Corollary 1 and repeating the arguments of the proof of Theorem 1 with

$$r = \bigl\lceil q^2 s^{-2}\log q \bigr\rceil \tag{3}$$

we obtain that for almost all $c$ a stronger result than Theorem 1 holds.

Theorem 2. Let $a, b, c, f, g \in \mathbb{F}_q^*$. For all but $o(q)$ elements $c \in \mathbb{F}_q^*$ one can either find a solution $x, y \in \mathbb{Z}_{\ge 0}$ of the equation $af^x + bg^y = c$ or decide that it does not have a solution in deterministic time $q(\log q)^{O(1)}$ on a classical computer.

4 Quantum Algorithms 

4.1 Worst Case Quantum Algorithms 

On a quantum computer one has the advantage that calculating discrete logarithms can be done efficiently in time $(\log q)^{O(1)}$. In combination with the quadratic speed-up of quantum searching this gives the following quantum algorithm for the central problem. We start with an algorithm that works for any $f$ and $g$.



Theorem 3. Let $a, b, c, f, g \in \mathbb{F}_q^*$. One can either find a solution $x, y \in \mathbb{Z}_{\ge 0}$ of the equation $af^x + bg^y = c$ or decide that it does not have a solution in time $q^{3/8}(\log q)^{O(1)}$ on a quantum computer.

Proof. We use Shor's algorithm [10] to compute $s$ and $t$ in polynomial time. Without loss of generality we assume that $s \ge t$ and we define $r$ by Equation (2) as in the proof of Theorem 1. A polynomial time quantum subroutine $S(y)$ is constructed that, using Shor's discrete logarithm algorithm [10], for a given $y$ either finds and returns the integer $x$ with $f^x = a^{-1}(c - bg^y)$ or reports that no such $x$ exists.

If $r \le t$, then, using Grover's search algorithm [6], we search the subroutines $S(y)$ for all $y \in \{0, \dots, r-1\}$ in time

$$r^{1/2}(\log q)^{O(1)} = q^{3/4}s^{-1/2}(\log q)^{O(1)} \le q^{3/8}(\log q)^{O(1)}.$$

If $r > t$, we search the $S(y)$ for all $y \in \{0, \dots, t-1\}$ in time

$$t^{1/2}(\log q)^{O(1)} \le (st)^{1/4}(\log q)^{O(1)} \le q^{3/8}(\log q)^{O(1)}.$$

As in the proof of Theorem 1, we conclude that due to our choice of $r$ we either find a solution to Equation (1) or conclude that there is no solution. □

We now show that if $f$ and $g$ are of large order then there is a more efficient quantum algorithm.

Theorem 4. Let $a, b, c, f, g \in \mathbb{F}_q^*$ and let $f$ and $g$ be of multiplicative orders $s$ and $t$, respectively. There is an absolute constant $C$ such that if

$$st \ge Cq^{3/2}\log q$$

then one can either find a solution $x, y \in \mathbb{Z}_{\ge 0}$ of the equation $af^x + bg^y = c$ or decide that it does not have a solution in time $q^{1/2}(st)^{-1/4}(\log q)^{O(1)}$ on a quantum computer.

Proof. Assume without loss of generality that $s \ge t$. It follows from the condition of the theorem and Lemma 1 that for some appropriate constant $C$ and

$$r = \bigl\lceil Cq^{3/2}s^{-1}\log q \bigr\rceil \le t$$

there are

$$\frac{rs}{q-1} + O(q^{1/2}\log q) \ge \frac{rs}{2(q-1)}$$

solutions to Equation (1) with $x \in \{0, \dots, s-1\}$ and $y \in \{0, \dots, r-1\}$.

We now use the version of Grover's search algorithm as described in [3] that finds one out of $m$ matching items in a set of size $r$ using only $O(\sqrt{r/m})$ queries. Here we search the subroutines $S(y)$ for all $y \in \{0, \dots, r-1\}$ with the promise (which follows from Lemma 1) that there are $m = rs/(q-1) + O(q^{1/2}\log q)$ solutions $(x, y)$. Because for each value $y$ there can be at most one value $x \in \{0, \dots, s-1\}$ such that $af^x + bg^y = c$, there are $m$ different values $y$ for which $S$ will report a solution $x$, hence a solution will be found in time

$$(r/m)^{1/2}(\log q)^{O(1)} = q^{1/2}s^{-1/2}(\log q)^{O(1)}.$$

Since $s \ge (st)^{1/2}$, this concludes the proof. □

In particular, the running time of the algorithm of Theorem 4 is upper bounded by $O(q^{1/8}(\log q)^{O(1)})$.

4.2 Typical Case Quantum Algorithms 

Similarly to the classical case, for almost all $c \in \mathbb{F}_q$ stronger results than those of Theorems 3 and 4 are possible. For example, defining again $r$ by Equation (3) and arguing as in the proof of Theorem 3, we obtain the following result.

Theorem 5. Let $a, b, c, f, g \in \mathbb{F}_q^*$. For all but $o(q)$ elements $c \in \mathbb{F}_q^*$ one can either find a solution $x, y \in \mathbb{Z}_{\ge 0}$ of the equation $af^x + bg^y = c$ or decide that it does not have a solution in time $q^{1/3}(\log q)^{O(1)}$ on a quantum computer.

Finally, taking

$$r = \bigl\lceil q^2 s^{-2}\log q \bigr\rceil$$

and using Lemma 1 in the argument of the proof of Theorem 4, we see that for almost all $c \in \mathbb{F}_q$ the complexity estimate of Theorem 4 holds for a wider range of $s$ and $t$.

Theorem 6. Let $a, b, c, f, g \in \mathbb{F}_q^*$ and let $f$ and $g$ be of multiplicative orders $s$ and $t$, respectively. For all but $o(q)$ elements $c \in \mathbb{F}_q^*$, if

$$st \ge q^{4/3}(\log q)^{2/3}$$

then one can either find a solution $x, y \in \mathbb{Z}_{\ge 0}$ of the equation $af^x + bg^y = c$ or decide that it does not have a solution in time $q^{1/2}(st)^{-1/4}(\log q)^{O(1)}$ on a quantum computer.



5 Connection with the Hidden Subgroup Problem 

The pretty good measurement approach [1] to the Hidden Subgroup Problem (HSP) over the non-abelian group $\mathbb{Z}/q \rtimes \mathbb{Z}/p$ with $q$ a prime and $q/p^2 = (\log q)^{O(1)}$ shows that the HSP can be solved efficiently on a quantum computer if one can efficiently solve the equation $af^x + bf^y = c$, where $f$ has multiplicative order $p$ in $\mathbb{Z}/q$. All algorithms presented in this article have superpolynomial complexity in $\log q$ and hence fall short of this goal.

For this restricted problem with $f = g$ and $f$ of order $p \sim \sqrt{q}$, there are $p^2$ possible solutions $(x, y)$, hence even a classical algorithm has $O^*(q)$ time complexity instead of the $O^*(q^{9/8})$ of Theorem 1. Quantum mechanically, one can 'Grover search' the set of solutions $x \in \{0, \dots, p-1\}$ in time $O^*(q^{1/4})$, which, although better than the $O^*(q^{3/8})$ of Theorem 3, is still far from polynomial in $\log q$.

6 Remarks and Open Problems 

We remark that in some finite fields classical subexponential probabilistic algorithms are possible for the discrete logarithm problem, see [4, Section 6.4]. In such fields, a version of Theorem 1 can be obtained with an algorithm that runs in probabilistic time $q^{3/4+o(1)}$, which is still much slower than the quantum algorithm of Theorems 3 and 4. We note that although over the last several years fast heuristic algorithms for the discrete logarithm problem have been designed to work over any finite field, rigorous subexponential algorithms are known only for fields of special types (such as prime fields $\mathbb{F}_p$ or binary fields $\mathbb{F}_{2^m}$), see [4, Section 6.4] for more details. Clearly, using probabilistic algorithms one can also get additional speed-up in the classical case if the multiplicative orders $s$ and $t$ are large (similar to Theorems 4 and 6).

To try to strengthen the presented results one can consider the analogue to Equation (1) for elliptic curves $E$ over $\mathbb{F}_q$. For example, given two $\mathbb{F}_q$-rational points $F, G \in E(\mathbb{F}_q)$ and the values $a, b, c \in \mathbb{F}_q$ one can ask for solutions to the equation

$$a \cdot x([u]F) + b \cdot x([v]G) = c$$

in integers $u$ and $v$ (where $x(Q)$ denotes the $x$-coordinate of a point $Q \in E(\mathbb{F}_q)$ in a fixed affine model of $E$ and $[n]Q$ denotes the $n$-fold sum $Q \oplus Q \oplus \cdots \oplus Q$ in the group of $E$). Using bounds of character sums over subgroups of elliptic curves, see [7], one can obtain full analogues of our results (in fact at the cost of only typographical changes). This case is interesting since in the classical scenario even heuristic subexponential algorithms are not known.

But above all, it still remains an open problem whether or not there exist efficient quantum algorithms that run in time $(\log q)^{O(1)}$ for determining the integer solutions $x, y$ to the equation $af^x + bg^y = c$ and even the more restricted version $af^x + bf^y = c$ over $\mathbb{F}_q$.